dcrat | 7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8

General

Target

56ab99637a82f98cec56b3318878bc99.exe
Size

827KB
MD5

56ab99637a82f98cec56b3318878bc99
SHA1

9b5e3f53a3a7eeb37cf9d00e1787816e2e16fe0b
SHA256

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8
SHA512

aacedc5ed4baf76c1551d865358d5c1662d2cac17bea9bbc35abecc6b145f4be50423b29c2e90cd0ff3e3d11874aee184b9d42c1f8a395f0fa2246c46bdba323
SSDEEP

12288:ws2MkHy0AkGWpU5cv+ALaOBULNrBjHo0+ET08QzjrWZIESls:oMGyZkGWPlaOBULdBjiN8QsDz

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4792	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4792	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3860-1-0x00000000008D0000-0x00000000009A6000-memory.dmp	dcrat
C:\Recovery\WindowsRE\Registry.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56ab99637a82f98cec56b3318878bc99.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	56ab99637a82f98cec56b3318878bc99.exe

Executes dropped EXE 1 IoCs

Processes:

sysmon.exe

pid process

4700 sysmon.exe

pid	process
4700	sysmon.exe

Drops file in Program Files directory 15 IoCs

Processes:

56ab99637a82f98cec56b3318878bc99.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\unsecapp.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\Internet Explorer\e1ef82546f0b02	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\5940a34987c991	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\WindowsPowerShell\29c1c3cc0f7685	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\Internet Explorer\SppExtComObj.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files\Windows Mail\fontdrvhost.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files\Windows Mail\5b884080fd4f94	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\f3b6ecef712a24	56ab99637a82f98cec56b3318878bc99.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\sysmon.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\121e5b5079f7c0	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files\Windows Portable Devices\explorer.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe	56ab99637a82f98cec56b3318878bc99.exe

Drops file in Windows directory 2 IoCs

Processes:

56ab99637a82f98cec56b3318878bc99.exe

description	ioc	process
File created	C:\Windows\Registration\CRMLog\dllhost.exe	56ab99637a82f98cec56b3318878bc99.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	56ab99637a82f98cec56b3318878bc99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2512	schtasks.exe
2212	schtasks.exe
3528	schtasks.exe
5008	schtasks.exe
1420	schtasks.exe
2892	schtasks.exe
888	schtasks.exe
2796	schtasks.exe
4228	schtasks.exe
3668	schtasks.exe
928	schtasks.exe
2560	schtasks.exe
2708	schtasks.exe
2188	schtasks.exe
4056	schtasks.exe
1364	schtasks.exe
4556	schtasks.exe
4316	schtasks.exe
3640	schtasks.exe
1368	schtasks.exe
3120	schtasks.exe
2500	schtasks.exe
1936	schtasks.exe
1356	schtasks.exe
5108	schtasks.exe
2956	schtasks.exe
2580	schtasks.exe
3988	schtasks.exe
4604	schtasks.exe
4296	schtasks.exe
4688	schtasks.exe
5052	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

56ab99637a82f98cec56b3318878bc99.exesysmon.exe

pid	process
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
3860	56ab99637a82f98cec56b3318878bc99.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe
4700	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sysmon.exe

pid process

4700 sysmon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56ab99637a82f98cec56b3318878bc99.exesysmon.exe

description pid process

Token: SeDebugPrivilege 3860 56ab99637a82f98cec56b3318878bc99.exe
Token: SeDebugPrivilege 4700 sysmon.exe

pid	process
4700	sysmon.exe

description	pid	process
Token: SeDebugPrivilege	3860	56ab99637a82f98cec56b3318878bc99.exe
Token: SeDebugPrivilege	4700	sysmon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

56ab99637a82f98cec56b3318878bc99.exe

description	pid	process	target process
PID 3860 wrote to memory of 4700	3860	56ab99637a82f98cec56b3318878bc99.exe	sysmon.exe
PID 3860 wrote to memory of 4700	3860	56ab99637a82f98cec56b3318878bc99.exe	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\56ab99637a82f98cec56b3318878bc99.exe
"C:\Users\Admin\AppData\Local\Temp\56ab99637a82f98cec56b3318878bc99.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\sysmon.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\sysmon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\Registry.exe

Filesize
827KB

MD5
56ab99637a82f98cec56b3318878bc99

SHA1
9b5e3f53a3a7eeb37cf9d00e1787816e2e16fe0b

SHA256
7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8

SHA512
aacedc5ed4baf76c1551d865358d5c1662d2cac17bea9bbc35abecc6b145f4be50423b29c2e90cd0ff3e3d11874aee184b9d42c1f8a395f0fa2246c46bdba323

Download Submit
memory/3860-0-0x00007FFA21443000-0x00007FFA21445000-memory.dmp

Filesize
8KB

Download
memory/3860-1-0x00000000008D0000-0x00000000009A6000-memory.dmp

Filesize
856KB

Download
memory/3860-3-0x00007FFA21440000-0x00007FFA21F01000-memory.dmp

Filesize
10.8MB

Download
memory/3860-36-0x00007FFA21440000-0x00007FFA21F01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads